restricted_attributes 1.0.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2011 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,499 @@
+RestrictedAttributes
+====================
+
+This restricted_attributes plugin provides the capabilities to restrict attributes(fields) 
+of db table's while add or update a record. It validate your attributes values before
+your validation stuff.
+
+Features
+========
+
+ - Provides four different ways of restriction on fields (i.e read_only, create_only, update_only and hidden)
+ - Restrict to add/modify values of particular attributes at model level while creating/updating a record.
+ - Restrict functionality perform at before validation.
+ - Able to set restriction on instance varibles also.
+ - OPTIONAL : It can also works on the basis of declarative_authorization roles system.
+ - So, able to set role wise restriction/permission on various users to change the value of an attributes.
+
+
+
+
+*NOTE: Try its simple version(i.e simple_restricted_attributes plugin) if you are NOT using declarative_authorization plugin/gem. Find more information about that plugin on following link
+(More Info - https://github.com/gkathare/simple_restricted_attributes)
+
+
+
+
+
+Method
+======
+has_restricted_attributes(options = {})
+  
+  This method accepts the options in a hash:
+    
+    1 :read_only            # In this you can add attributes to restrict from add/update the value.
+    			    # Access attributes values:  can read,  But can't add or modify
+                            # Format for single attribute -
+                            # :read_only => :name or :read_only => "name"
+                            # Format for array of attributes -
+                            # :read_only => [:name, :bio] or :read_only => ["name", "bio"]
+
+    2 :create_only          # In this you can add attributes to restrict from update the value.
+    			    # Access attributes values: can read and add,  But can't modify.
+                            # Format for single attribute -
+                            # :create_only => :name or :create_only => "name"
+                            # Format for array of attributes -
+                            # :create_only => [:name, :bio] or :create_only => ["name", "bio"]
+
+    3 :update_only          # In this you can add attributes to restrict from add the value.
+    			    # Access attributes values: can read and modify,  But can't add.
+                            # Format for single attribute -
+                            # :update_only => :name or :update_only => "name"
+                            # Format for array of attributes -
+                            # :update_only => [:name, :bio] or :update_only => ["name", "bio"]
+
+    4 :hidden_only          # In this you can add attributes to restrict from add/update the value.
+    			    # Mainly used with 'is_restricted?()' helper Method & instance Method to
+			    # check has a read access or not.
+			    # Access attributes values: can read,  But can't add or modify.
+			    # Format for single attribute -
+                            # :hidden_only => :name or :hidden_only => "name"
+                            # Format for array of attributes -
+                            # :hidden_only => [:name, :bio] or :hidden_only => ["name", "bio"]
+
+    *5 :declarative         # IMPORTANT - Useful only if you are using declarative_authorization
+                            # plugin or gem in your application.
+                            # -Provides capability to set restriction on the basis of
+                            #  declarative_authorization(plugin/gem) role system.
+                            # -So you can restrict/permit to change the value of a
+                            #  attributes role wise for various users in the application.
+
+                            # Format - :declarative => false or :declarative => true .
+                            # Use :declarative tag if you want follow role system with
+                            # declarative_authorization.
+                            # Default - it is false (:declarative => false) .
+
+                            NOTE: if you are using :declarative => true then first you need create
+                                 permissions.yml file in your Project/config folder.
+
+
+    6 :read_only_message    # validation message for read_only attributes
+                            # Format - :read_only_message => "blah blah"  (string type)
+                            # Default message - "is a read only attribute."
+
+    7 :create_only_message  # validation message for create_only attributes
+                            # Format - :create_only_message => "blah blah"  (string type)
+                            # Default message - "can't update, its permitted to create only."
+
+    8 :update_only_message  # validation message for update_only attributes
+                            # Format - :update_only_message => "blah blah"  (string type)
+                            # Default message - "can't add, its permitted to update only."
+
+    9 :hidden_only_message  # validation message for hidden_only attributes
+                            # Format - :hidden_only_message => "blah blah"  (string type)
+                            # Default message - "is a hidden attribute."
+
+
+Requirements (Only if you want to use :declarative tag feature)
+==============================================================
+
+ - declarative_authorization plugin/gem.
+
+ - create permissions.yml file in your Project/config folder.
+
+config/permissions.yml
+---------------------
+
+You need create permissions.yml file in your Project/config folder.
+
+    Format : /config/permissions.yml   
+    _____________________________________________________________
+    |:default:							|
+    |  :readonly: [:attribute1, :attribute2]			|
+    |  :hiddenonly: [:attribute1, :attribute2]			|
+    |  :createonly: [:attribute1, :attribute2]			|
+    |  :updateonly: [:attribute1, :attribute2]			|
+    |:role_1:							|
+    |  :class_name_1:						|
+    |    :readonly: [:attribute1, :attribute2]			|
+    |    :hiddenonly: [:attribute1, :attribute2]		|
+    |    :createonly: [:attribute1, :attribute2]		|
+    |    :updateonly: [:attribute1, :attribute2]		|
+    |    :permit_to: [:attribute1, :attribute2]			|
+    |  :class_name_2:						|
+    |    :permit_to: [:attribute1, :attribute2]			|
+    |:role_2:							|
+    |  :class_name_1:						|
+    |    :permit_to: [:attribute1, :attribute2]			|
+    |  :class_name_2:						|
+    |    :permit_to: [:attribute1, :attribute2]			|
+    |								|
+    |								|
+    |								|
+    |___________________________________________________________|
+
+    where
+    - role_1, role_2 are the roles of user
+    - class_name_1, class_name_2 are the class name or Model name
+    - readonly, hiddenonly, createonly, updateonly - To set restriction on specific role.
+    - permit_to: []  feature to set permission to change value of added attributes.
+    - default: provides common restricted attributes for all classes of all roles like id, create_at, updated_at.
+    
+
+
+
+======================================================================================================================
+------------------------------------------ Examples Set 1 ------------------------------------------------------------
+
+
+# Example 1 Simple one (without use of :declarative tag feature)
+================================================================
+
+    class Post < ActiveRecord::Base
+        has_restricted_attributes :read_only => [:status],
+                            :create_only => [:title, :publish],
+                            :update_only => [:tags],
+			    :hidden_only => [:activated],
+                            :read_only_message => "is a read only attribute",
+                            :create_only_message => "can't update, its permitted to create only.",
+                            :update_only_message => "can't add, its permitted to update only."
+    end
+
+
+
+    So, the restricted attributes will be as shown in following table.
+    
+    #Post Model :
+
+    |-----------|-------------------------------------------------------------|
+    |           |( Read/Hidden Only ) |  ( Create Only )  |  (Update Only )   |
+    |           | :status /:activated | :title, :publish  |     :tags         |
+    |           |-------------------------------------------------------------|
+    |   Can ->  |   Create  |  Update | Create  | Update  | Create  | Update  |
+    |-----------|-----------|---------|-------------------|-------------------|
+    |   Any     |           |         |         |         |         |         |
+    |   User    |     NO    |    NO   |  YES    |   NO    |   NO    |  YES    |
+    |           |           |         |         |         |         |         |
+    ---------------------------------------------------------------------------
+
+    Console Output :
+    ---------------
+
+    >> post = Post.new(:status => true, :title => "New Title", :tags => "new, topic")
+    >> post.save
+    => false
+
+    >> post.errors
+    => #<OrderedHash {:status => ["is a read only attribute"], :tags=>["can't add, its permitted to update only."]}>
+
+    # for hidden attributes
+    >> post = Post.new(:activated => true)
+    >> post.save
+    => false
+
+    >> post.errors
+    => #<OrderedHash {:status => ["is a hidden attribute"]}>
+    OR
+    >> post.is_restricted?(:read, :activated)  # To check :activated field is restricted to read.
+    => true
+
+
+
+----------------------------------------------------------------------------------------------------------------------
+
+
+# Example 2 : (with :declarative => true tag feature)
+=====================================================
+
+Step 1 :
+
+    class User < ActiveRecord::Base
+        has_restricted_attributes :read_only => [:logged_in],
+                            :create_only => [:login, :email],
+                            :update_only => [:bio],
+                            :declarative => true
+
+    end
+
+    class Post < ActiveRecord::Base
+        has_restricted_attributes :read_only => [:status],
+                            :create_only => [:title, :publish],
+                            :update_only => [:tags],
+			    :hidden_only => [:activated],
+                            :declarative => true,
+                            :read_only_message => "is a read only attribute",
+                            :create_only_message => "can't update, its permitted to create only.",
+                            :update_only_message => "can't add, its permitted to update only."
+    end
+
+
+Step 2 :
+
+    Create permissions.yml file in your Project/config/ folder.
+    and add roles & permissions for the user as shown in following example.
+
+    *Here you can set permission to change the value of restricted attributes on the basis of role system.
+
+    Example:
+    ## /config/permissions.yml
+     ___________________________________________________________
+    |:default:							|
+    |  :readonly: [:created_at, :updated_at]			|
+    |:global_admin:						|
+    |  :user:							|
+    |    :permit_to: [:logged_in, :login, :email, :bio] 	|
+    |  :post:							|
+    |    :permit_to: [:title, :status, :publish, :tags]		|
+    |:member:							|
+    |  :user:							|
+    |    :permit_to: [:email]					|
+    |  :post:							|
+    |    :permit_to: [:publish]         			|
+    |								|
+    |								|
+    |								|
+    |								|
+    |___________________________________________________________|
+
+    # where in that,
+    1 :global_admin , :member are the roles of user. [ROLE]
+    2 :user , :post are the class names [CLASS/MODEL]
+    3 :permit_to: [] here you can add those attributes which will be permitted for appropriate User [ATTRIBUTES]
+    4 :default: you can add common attributes to restrict the access for all classes.
+
+Result :
+
+   So, the permissions on restricted attributes for global_admin and member
+   user will be as shown in following table.
+   #Post Model :
+
+    |---------------|-----------------------------------------------------------------|
+    |               |   ( Read Only )    |  ( Create Only )       |  (Update Only )   |
+    |               |     :status        |   :title, :publish     |     :tags         |
+    |               |-----------------------------------------------------------------|
+    |   Can  ->     |  Create  |  Update | Create   |  Update     | Create  | Update  |
+    |---------------|----------|---------|----------|-------------|-------------------|
+    |               |          |         |          |             |         |         |
+    |   User        |   YES    |   YES   |   YES    |   YES       |  YES    |  YES    |
+    |(global_admin) |          |         |          |             |         |         |
+    |               |          |         |          |             |         |         |
+     ----------------------------------------------------------------  ----------------
+    |               |          |         |          |             |         |         |
+    |   User        |    NO    |   NO    |   YES    | NO-:title   |   NO    |  YES    |
+    |  (member)     |          |         |          |YES-:publish |         |         |
+    |               |          |         |          |             |         |         |
+    |---------------------------------------------------------------------------------|
+
+
+
+--------------------------------------------- End Examples Set 1 -----------------------------------------------------
+======================================================================================================================
+
+
+
+
+
+Helper Method & Instance Method ( For View & Controller files )
+===============================================================
+
+
+1 Helper Method `is_restricted?()` :
+------------------------------------
+
+    Syntax:
+    ------------------------------------------------------------
+    |   is_restricted?(Klass, action, field, user(optional))   |
+    ------------------------------------------------------------
+
+     This method accepts min 3 to max 4 arguments :
+
+     1 Klass    # This is a mandatory & first argument of this method.
+                # Should be valid class (i.e Model Name), no String.
+                # Should be in constantize format
+                # Ex :  User ,  Post,  Comment
+
+     2 action   # This is a mandatory & second argument of this method.
+                # Valid actions : "create" or "update" or "read".
+                # Should be either in symbol or in string format
+                # Ex :  :create or :update or :read  or "create" or "update" or "read"
+
+     3 field    # This is a mandatory & third argument of this method.
+                # Should be valid attributes/field of that model or related db table.
+                # Should be either in symbol or in string format
+                # Ex :  :title or "title"
+
+     *4 user    # This is Optional & last argument of this method.
+                # IMPORTANT NOTE - Useful only if you are using declarative_authorization plugin/gem and
+                # has_restricted_attributes method with :declarative => true tag in your specified model.
+
+                # Should be either valid User object or nil (don't pass any fourth argument)
+                # Ex :  current_user (where current_user should be object of valid User record.)
+
+
+
+2 Instance Method `is_restricted?()` :
+--------------------------------------
+
+    Syntax:
+    --------------------------------------------------------------
+    |    object.is_restricted?(action, field, user(optional))    |
+    --------------------------------------------------------------
+
+     This method accepts min 2 to max 3 arguments :
+
+     1 action   # This is a mandatory & first argument of this method.
+                # Valid actions : "create" or "update" or "read".
+                # Should be either in symbol or in string format
+                # Ex :  :create or :update or :read  or "create" or "update" or "read"
+
+     2 field    # This is a mandatory & second argument of this method.
+                # Should be valid attributes/field of that model or related db table.
+                # Should be either in symbol or in string format
+                # Ex :  :title or "title"
+
+     *3 user    # This is Optional & last argument of this method.
+                # IMPORTANT NOTE - Useful only if you are using declarative_authorization plugin/gem and
+                # has_restricted_attributes method with :declarative => true tag in your specified model.
+
+                # Should be either valid User object or nil (don't pass any fourth argument)
+                # Ex :  current_user (where current_user should be object of valid User record.)
+
+
+
+
+======================================================================================================================
+------------------------------------------ Examples Set 2 ------------------------------------------------------------
+
+
+
+# Example 1 ( Use of Helper Method )
+====================================
+
+    # /models/post.rb
+    class Post < ActiveRecord::Base
+        has_restricted_attributes :read_only => [:active],
+                            :create_only => [:title],
+                            :declarative => true,
+                            :update_only => [:abuse],
+			    :read_only_message => "is a read only attribute"
+    end
+
+    ## /config/permissions.yml
+     ___________________________________________________________
+    |:global_admin:						|
+    |  :post:							|
+    |    :permit_to: [:title, :description]			|
+    |___________________________________________________________|
+    Here I added permission for global_admin role.
+
+
+    So for this post class we can check its particular field is restricted or not.
+    (You can use this method in controller, view and helper file.)
+
+    # CASE 1 - :declarative => true
+    
+        -----------------------------------------------------
+        |      is_restricted?(Post, :update, :title)        |
+        -----------------------------------------------------
+        
+        - return true(:title is restricted) for logged in user if his role is NOT a global_admin
+        - return false(:title is NOT restricted) for logged in user if his role is a global_admin
+
+        OR
+
+        -----------------------------------------------------------------
+        |      user = User.find(params[:id])  # any global_admin user   |
+        |      is_restricted?(Post, :update, :title, user)              |
+        -----------------------------------------------------------------
+
+        - return true(:title is restricted) for `user` if his role is NOT a global_admin
+        - return false(:title is NOT restricted) for `user` if his role is a global_admin
+
+
+     # CASE 2 - :declarative => false  or if not added in model.
+     
+        ---------------------------------------------------------------------------------
+        |      is_restricted?(Post, :update, :title) # don't pass fourth argument       |
+        ---------------------------------------------------------------------------------
+
+        - return true(:title is restricted)
+
+
+
+
+
+
+# Example 2 ( Use of Instance Method )
+=======================================
+
+    # /models/post.rb
+    class Post < ActiveRecord::Base
+        has_restricted_attributes :read_only => [:active],
+                            :create_only => [:title],
+                            :declarative => true,
+                            :update_only => [:abuse],
+			    :read_only_message => "is a read only attribute"
+    end
+
+    ## /config/permissions.yml
+     ___________________________________________________________
+    |:global_admin:						|
+    |  :post:							|
+    |    :permit_to: [:title, :description]			|
+    |___________________________________________________________|
+    Here I added permission for global_admin role.
+
+
+    So for this post class we can check its particular field is restricted or not.    
+
+    # CASE 1 - :declarative => true
+
+        -----------------------------------------------------
+        |      post = Post.find(params[:id])                |
+        |      post.is_restricted?(:update, :title)         |
+        -----------------------------------------------------
+
+        - return true(:title is restricted) for logged in user if his role is NOT a global_admin
+        - return false(:title is NOT restricted) for logged in user if his role is a global_admin
+
+        OR
+
+        -------------------------------------------------------------------------
+        |      user = User.find(params[:id])  # any global_admin user           |
+        |      post = Post.find(params[:id])                                    |
+        |      post.is_restricted?(:update, :title, user)                       |
+        -------------------------------------------------------------------------
+
+        - return true(:title is restricted) for `user` if his role is NOT a global_admin
+        - return false(:title is NOT restricted) for `user` if his role is a global_admin
+
+
+     # CASE 2 - :declarative => false  or if not added in model.
+
+        -----------------------------------------------------------------------------
+        |      post = Post.find(params[:id])                                        |
+        |      is_restricted?(:update, :title) # don't pass third argument          |
+        -----------------------------------------------------------------------------
+
+        - return true(:title is restricted)
+
+
+
+
+--------------------------------------------- End Examples Set 2 -----------------------------------------------------
+======================================================================================================================
+
+
+
+
+
+Valuable Contribution :
+Rahul Agarwal, Kevin Williams.
+
+===========================================================================
+Easiest way to contact me(Ganesh Kathare):
+My email - kathare[dot]ganesh[at]gmail[dot]com (kathare.ganesh@gmail.com)
+===========================================================================
+
+Copyright (c) 2011 Ganesh Kathare, Navi Mumbai MH, India. released under the MIT license
+

data/Rakefile

@@ -0,0 +1,37 @@
+require 'rubygems'
+require 'rake'
+require 'rake/clean'
+require 'rake/gempackagetask'
+require 'rake/rdoctask'
+require 'rake/testtask'
+
+
+PKG_FILES = FileList[
+  '[a-zA-Z]*',
+  'lib/**/*',
+  'test/**/*'
+]
+ 
+spec = Gem::Specification.new do |s|
+  s.name = "restricted_attributes"
+  s.version = "1.0.0"
+  s.author = "Ganesh Kathare"
+  s.email = "kathare.ganesh@gmail.com"
+  s.homepage = "https://github.com/gkathare"
+  s.platform = Gem::Platform::RUBY
+  s.summary = "Sharing restricted_attributes"
+  s.files = PKG_FILES.to_a
+  s.require_path = "lib"
+  s.has_rdoc = false
+  s.extra_rdoc_files = ["README"]
+  s.description = <<EOF
+  This restricted_attributes plugin/gem provides the capabilities to restrict attributes(fields) 
+  of db table's while add or update a record. It validate your attributes values before
+  your validation stuff.
+EOF
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.need_zip = true
+  pkg.need_tar = true
+end

data/init.rb

@@ -0,0 +1,3 @@
+# Include hook code here
+$:.unshift "#{File.dirname(__FILE__)}/lib"
+require 'restricted_attributes'

data/lib/restricted/restricted_attrib.rb

@@ -0,0 +1,130 @@
+module RestrictedAttrib
+ 
+  ## Class Methods
+  module ClassMethods
+    def self.extended(base)
+       base.before_validation :check_for_restricted_values
+    end
+  end
+
+  ## Instance Methods
+  module InstanceMethods
+    # check the changed attributes of a class are restricted or not.
+    def check_for_restricted_values
+      
+      if self.declarative # Using declarative_authorization roles system
+        roles = RestrictedRightsManager.get_roles(Authorization.current_user,self)
+        restrict_read_only = RestrictedRightsManager.get_readonly_fields(roles,self)
+        restrict_create_only = RestrictedRightsManager.get_createonly_fields(roles,self)
+        restrict_update_only = RestrictedRightsManager.get_updateonly_fields(roles,self)
+        restrict_hidden_only = RestrictedRightsManager.get_hiddenonly_fields(roles,self)
+      else # simple one
+        restrict_read_only = self.read_only
+        restrict_create_only = self.create_only
+        restrict_update_only = self.update_only
+        restrict_hidden_only = self.hidden_only
+      end
+
+      # check for read only attributes
+      unless restrict_read_only.blank?
+        restrict_read_only.each do |ro|
+          if self.changed.include?(ro) || !eval("self.instance_variable_get :@#{ro}").blank?
+            self.errors.add(ro.humanize, self.read_only_message)
+          end
+        end
+      end
+
+      # check for create only attributes
+      if !restrict_create_only.blank? && !self.new_record?
+        restrict_create_only.each do |co|
+          if self.changed.include?(co) || !eval("self.instance_variable_get :@#{co}").blank?
+            self.errors.add(co.humanize, self.create_only_message)
+          end
+        end
+      end
+
+      # check for update only attributes
+      if !restrict_update_only.blank? && self.new_record?
+        restrict_update_only.each do |uo|
+          if self.changed.include?(uo) || !eval("self.instance_variable_get :@#{uo}").blank?
+            self.errors.add(uo.humanize, self.update_only_message)
+          end
+        end
+      end
+
+      # check for hidden only attributes
+      if !restrict_hidden_only.blank?
+        restrict_hidden_only.each do |ho|
+          if self.changed.include?(ho) || !eval("self.instance_variable_get :@#{ho}").blank?
+            self.errors.add(ho.humanize, self.hidden_only_message)
+          end
+        end
+      end
+      
+      # will return validation result
+      return false unless self.errors.blank?
+    end
+
+    def is_restricted?(action, field, user = nil)
+      action = action.to_s
+      field = field.to_s
+      klass = self.class
+      klass_object = self
+
+      unless klass_object.methods.include?("read_only")
+         raise NoMethodError, "undefined method `is_restricted?` for #{klass} model. You need to add `has_restricted_method` method in #{klass} model."
+      end
+
+      if action.nil? || !['create', 'update', 'read'].include?(action)
+        raise ArgumentError, "Invalid action - (#{action}), Pass valid action - :read or :create or :update or 'read' or 'create' or 'update'"
+      end
+
+      klass_attributes = klass_object.attributes.keys
+      if field.nil? || (!klass_attributes.include?(field) && !klass_object.methods.include?("#{field}="))
+        raise ActiveRecord::UnknownAttributeError, "#{klass}: unknown attribute(field): #{field}"
+      end
+
+      if klass_object.declarative
+        begin
+          user.roles if user
+        rescue
+          raise ArgumentError, "invalid user (#{user}) paramater sent with `is_restricted?` method."
+        end
+        present_user = Authorization.current_user
+        Authorization.current_user = user if user && user.roles
+
+        roles = RestrictedRightsManager.get_roles(Authorization.current_user,klass_object)
+        restrict_read_only = RestrictedRightsManager.get_readonly_fields(roles,klass_object)
+        restrict_create_only = RestrictedRightsManager.get_createonly_fields(roles,klass_object)
+        restrict_update_only = RestrictedRightsManager.get_updateonly_fields(roles,klass_object)
+        restrict_hidden_only = RestrictedRightsManager.get_hiddenonly_fields(roles,klass_object)
+
+        Authorization.current_user = present_user if user && user.roles
+      else
+        restrict_read_only = klass_object.read_only
+        restrict_create_only = klass_object.create_only
+        restrict_update_only = klass_object.update_only
+        restrict_hidden_only = klass_object.hidden_only
+      end
+
+      if action == "create" || action == "update" || action == "read"
+        return true if !restrict_hidden_only.blank? && restrict_hidden_only.include?(field)
+      end
+
+      if action == "create" || action == "update"
+        return true if !restrict_read_only.blank? && restrict_read_only.include?(field)
+      end
+
+      if action == "create"
+        return true if !restrict_update_only.blank? && restrict_update_only.include?(field)
+      end
+
+      if action == "update"
+        return true if !restrict_create_only.blank? && restrict_create_only.include?(field)
+      end
+      return false
+    end
+
+  end
+end
+

data/lib/restricted_attributes.rb

@@ -0,0 +1,154 @@
+require "restricted/restricted_attrib"
+require "restricted_rights_manager"
+
+module RestrictedAttributes
+
+  module Restricted
+
+    def has_restricted_attributes(options = {})
+      cattr_accessor :read_only, :create_only, :update_only, :hidden_only
+      cattr_accessor :read_only_message, :create_only_message, :update_only_message, :hidden_only_message
+      cattr_accessor :declarative
+      
+      if options[:declarative] && options[:declarative] == true
+        # To check existence of declarative_authorization plugin/gem in present application.
+        begin
+          Authorization.current_user
+        rescue Exception => e
+          raise "Sorry, :declarative tag can't support to your application. Please follow documentation of restricted_attributes" if e.class == NameError
+        end
+        self.declarative = true
+        RestrictedRightsManager.load_config
+        RestrictedRightsManager.version=Time.now.utc.to_i
+      else
+        self.declarative = false
+      end
+      
+      # set the read only attributes of a class
+      if options[:read_only]
+        only_read = []
+        if options[:read_only].is_a?(Array)
+          only_read = options[:read_only].collect {|r| r.to_s }
+        else
+          only_read << options[:read_only].to_s
+        end
+        self.read_only = only_read
+      end
+
+      # set the create only attributes of a class
+      if options[:create_only]
+        only_create = []
+        if options[:create_only].is_a?(Array)
+          only_create = options[:create_only].collect {|c| c.to_s }
+        else
+          only_create << options[:create_only].to_s
+        end
+        self.create_only = only_create
+      end
+
+      # set the create only attributes of a class
+      if options[:update_only]
+        only_update = []
+        if options[:update_only].is_a?(Array)
+          only_update = options[:update_only].collect {|u| u.to_s }
+        else
+          only_update << options[:update_only].to_s
+        end
+        self.update_only = only_update
+      end
+
+      # set the hidden only attributes of a class
+      if options[:hidden_only]
+        only_hidden = []
+        if options[:hidden_only].is_a?(Array)
+          only_hidden = options[:hidden_only].collect {|u| u.to_s }
+        else
+          only_hidden << options[:hidden_only].to_s
+        end
+        self.hidden_only = only_hidden
+      end
+
+      # Default validation messages
+      ro_msg = "is a read only attribute."
+      co_msg = "can't update, its permitted to create only."
+      uo_msg = "can't add, its permitted to update only."
+      ho_msg = "is a hidden attribute."
+
+      # assign validation messages to restricted attributes
+      self.read_only_message = options[:read_only_message] ? options[:read_only_message].to_s : ro_msg
+      self.create_only_message = options[:create_only_message] ? options[:create_only_message].to_s : co_msg
+      self.update_only_message = options[:update_only_message] ? options[:update_only_message].to_s : uo_msg
+      self.hidden_only_message = options[:hidden_only_message] ? options[:hidden_only_message].to_s : ho_msg
+
+      extend RestrictedAttrib::ClassMethods
+      include RestrictedAttrib::InstanceMethods      
+    end    
+  end
+
+  module RestrictedHelpers
+    def is_restricted?(klass, action, field, user = nil)
+      action = action.to_s
+      field = field.to_s
+      raise ArgumentError, "Must pass valid class" if klass.nil? || !klass.is_a?(Class)
+
+      klass_object = klass.new
+
+      unless klass_object.methods.include?("read_only")
+         raise NoMethodError, "undefined method `is_restricted?` for #{klass} model. You need to add `has_restricted_attributes` method in #{klass} model."
+      end
+      
+      if action.nil? || !['create', 'update', 'read'].include?(action)
+        raise ArgumentError, "Invalid action - (#{action}), Pass valid action - :read or :create or :update or 'read' or 'create' or 'update'"
+      end
+
+      klass_attributes = klass_object.attributes.keys
+      if field.nil? || !klass_attributes.include?(field)
+        raise ActiveRecord::UnknownAttributeError, "#{klass}: unknown attribute(field): #{field}"
+      end
+
+      if klass_object.declarative
+        begin
+          user.roles if user
+        rescue
+          raise ArgumentError, "invalid user (#{user}) paramater sent with `is_restricted?` method."
+        end
+        present_user = Authorization.current_user
+        Authorization.current_user = user if user && user.roles
+
+        roles = RestrictedRightsManager.get_roles(Authorization.current_user,klass_object)
+        restrict_read_only = RestrictedRightsManager.get_readonly_fields(roles,klass_object)
+        restrict_create_only = RestrictedRightsManager.get_createonly_fields(roles,klass_object)
+        restrict_update_only = RestrictedRightsManager.get_updateonly_fields(roles,klass_object)
+        restrict_hidden_only = RestrictedRightsManager.get_hiddenonly_fields(roles,klass_object)
+
+        Authorization.current_user = present_user if user && user.roles
+      else
+        restrict_read_only = klass_object.read_only
+        restrict_create_only = klass_object.create_only
+        restrict_update_only = klass_object.update_only
+        restrict_hidden_only = klass_object.hidden_only
+      end
+
+      if action == "create" || action == "update" || action == "read"
+        return true if !restrict_hidden_only.blank? && restrict_hidden_only.include?(field)
+      end
+      
+      if action == "create" || action == "update"
+        return true if !restrict_read_only.blank? && restrict_read_only.include?(field)
+      end
+      
+      if action == "create"
+        return true if !restrict_update_only.blank? && restrict_update_only.include?(field)
+      end
+
+      if action == "update"
+        return true if !restrict_create_only.blank? && restrict_create_only.include?(field)
+      end      
+      return false
+    end
+  end
+end
+
+ActiveRecord::Base.send(:extend, RestrictedAttributes::Restricted)
+ActionView::Base.send(:include, RestrictedAttributes::RestrictedHelpers)
+ActionController::Base.send(:include, RestrictedAttributes::RestrictedHelpers)

data/lib/restricted_rights_manager.rb

@@ -0,0 +1,114 @@
+require "active_model"
+
+class RestrictedRightsManager
+
+  cattr_accessor :rights, :version
+  attr_accessor :obj_name, :role_name
+
+  def initialize(attribs={})
+    self.obj_name=attribs[:obj_name]
+    self.role_name=attribs[:role_name]
+  end
+
+  def self.get_readonly_fields(roles, obj)
+    resp=Rails.cache.fetch([RestrictedRightsManager.version,roles.to_s,obj.class.name,"read_only_fields"].join("_")){
+    RestrictedRightsManager.get_restricted_fields(roles, obj, :readonly)
+    }
+    resp
+  end
+
+  def self.get_createonly_fields(roles, obj)
+    resp=Rails.cache.fetch([RestrictedRightsManager.version,roles.to_s,obj.class.name,"create_only_fields"].join("_")){
+    RestrictedRightsManager.get_restricted_fields(roles, obj, :createonly)
+    }
+    resp
+  end
+
+  def self.get_updateonly_fields(roles, obj)
+    resp=Rails.cache.fetch([RestrictedRightsManager.version,roles.to_s,obj.class.name,"update_only_fields"].join("_")){
+    RestrictedRightsManager.get_restricted_fields(roles, obj, :updateonly)
+    }
+    resp
+  end
+
+  def self.get_hiddenonly_fields(roles, obj)
+    resp=Rails.cache.fetch([RestrictedRightsManager.version,roles.to_s,obj.class.name,"hidden_only_fields"].join("_")){
+    RestrictedRightsManager.get_restricted_fields(roles, obj, :hiddenonly)
+    }
+    resp
+  end
+
+
+  def self.get_restricted_fields(roles, obj, access_type)
+    resp=Rails.cache.fetch([RestrictedRightsManager.version,roles.to_s,obj.class.name,access_type.to_s].join("_")){
+    #obj_name=obj.class.name.underscore.downcase
+
+      
+      # get default fields for all objects
+      begin
+        case access_type
+          when :readonly
+            default_fields = obj.read_only || []
+          when :createonly
+            default_fields = obj.create_only || []
+          when :updateonly
+            default_fields = obj.update_only || []
+          when :hiddenonly
+            default_fields = obj.hidden_only || []
+          else
+            default_fields = []
+        end
+      rescue
+        default_fields = []
+      end
+
+      begin
+        if RestrictedRightsManager.rights[:default] && RestrictedRightsManager.rights[:default][access_type]
+          default_fields2 = RestrictedRightsManager.rights[:default][access_type]
+        else
+          default_fields2 = []
+        end
+      rescue
+        default_fields2 = []
+      end
+      default_fields2 = default_fields2.collect{|d| d.to_s}
+      default_fields |= default_fields2
+
+      begin
+      	permitted_fields, role_fields = [], []
+        roles.each do |role_name|
+          if RestrictedRightsManager.rights[role_name]
+            self_klass_name = obj.class.name.underscore.downcase
+            base_klass_name = obj.class.base_class.name.underscore.downcase
+            klass_name = RestrictedRightsManager.rights[role_name].include?(self_klass_name) ? self_klass_name : base_klass_name
+
+            if RestrictedRightsManager.rights[role_name][klass_name]
+              permitted_fields |= RestrictedRightsManager.rights[role_name][klass_name][:permit_to] || []
+              role_fields |= RestrictedRightsManager.rights[role_name][klass_name][access_type] || []
+            end
+          end
+        end
+      rescue
+        permitted_fields, role_fields = [], []
+      end
+      permitted_fields = permitted_fields.collect{|p| p.to_s}
+      role_fields = role_fields.collect{|p| p.to_s}
+      ro_fields = default_fields - permitted_fields
+      ro_fields |= role_fields }
+    resp
+  end
+
+  def self.load_config
+    RestrictedRightsManager.rights = HashWithIndifferentAccess.new(YAML.load_file("#{Rails.root}/config/permissions.yml"))
+  end
+
+  def self.get_roles(user,obj)
+    roles=user.roles
+    return (roles.blank?) ? [] : roles.collect {|role| role.title }
+  end
+end
+
+
+
+
+

data/test/restricted_attributes_test.rb

@@ -0,0 +1,8 @@
+require 'test_helper'
+
+class RestrictedAttributesTest < ActiveSupport::TestCase
+  # Replace this with your real tests.
+  test "the truth" do
+    assert true
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,3 @@
+require 'rubygems'
+require 'test/unit'
+require 'active_support'

metadata

@@ -0,0 +1,64 @@
+--- !ruby/object:Gem::Specification 
+name: restricted_attributes
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 1.0.0
+platform: ruby
+authors: 
+  - Ganesh Kathare
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-07-19 00:00:00 +05:30
+default_executable: 
+dependencies: []
+
+description: "  This restricted_attributes plugin/gem provides the capabilities to restrict attributes(fields) \n  of db table's while add or update a record. It validate your attributes values before\n  your validation stuff.\n"
+email: kathare.ganesh@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+  - README
+files: 
+  - init.rb
+  - MIT-LICENSE
+  - Rakefile
+  - README
+  - lib/restricted_attributes.rb
+  - lib/restricted_rights_manager.rb
+  - lib/restricted/restricted_attrib.rb
+  - test/restricted_attributes_test.rb
+  - test/test_helper.rb
+has_rdoc: true
+homepage: https://github.com/gkathare
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+  - lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.5.1
+signing_key: 
+specification_version: 3
+summary: Sharing restricted_attributes
+test_files: []
+